hp - Dave's Blog

Search

Let's Encrypt NearlyFreeSpeech.net Setup

2016 Feb 4, 2:48

2016-Nov-5: Updated post on using Let's Encrypt with NearlyFreeSpeech.net

I use NearlyFreeSpeech.net for my webhosting for my personal website and I've just finished setting up TLS via Let's Encrypt. The process was slightly more complicated than what you'd like from Let's Encrypt. So for those interested in doing the same on NearlyFreeSpeech.net, I've taken the following notes.

The standard Let's Encrypt client requires su/sudo access which is not available on NearlyFreeSpeech.net's servers. Additionally NFSN's webserver doesn't have any Let's Encrypt plugins installed. So I used the Let's Encrypt Without Sudo client. I followed the instructions listed on the tool's page with the addition of providing the "--file-based" parameter to sign_csr.py.

One thing the script doesn't produce is the chain file. But this topic "Let's Encrypt - Quick HOWTO for NSFN" covers how to obtain that:

curl -o domain.chn https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem

Now that you have all the required files, on your NFSN server make the directory /home/protected/ssl and copy your files into it. This is described in the NFSN topic provide certificates to NFSN. After copying the files and setting their permissions as described in the previous link you submit an assistance request. For me it was only 15 minutes later that everything was setup.

After enabling HTTPS I wanted to have all HTTP requests redirect to HTTPS. The normal Apache documentation on how to do this doesn't work on NFSN servers. Instead the NFSN FAQ describes it in "redirect http to https and HSTS". You use the X-Forwarded-Proto instead of the HTTPS variable because of how NFSN's virtual hosting is setup.

RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]

Turning on HSTS is as simple as adding the HSTS HTTP header. However, the description in the above link didn't work because my site's NFSN realm isn't on the latest Apache yet. Instead I added the following to my .htaccess. After I'm comfortable with everything working well for a few days I'll start turning up the max-age to the recommended minimum value of 180 days.

Header set Strict-Transport-Security "max-age=3600;" 

Finally, to turn on CSP I started up Fiddler with my CSP Fiddler extension. It allows me to determine the most restrictive CSP rules I could apply and still have all resources on my page load. From there I found and removed inline script and some content loaded via http and otherwise continued tweaking my site and CSP rules.

After I was done I checked out my site on SSL Lab's SSL Test to see what I might have done wrong or needed improving. The first time I went through these steps I hadn't included the chain file which the SSL Test told me about. I was able to add that file to the same files I had already previously generated from the Let's Encrypt client and do another NFSN assistance request and 15 minutes later the SSL Test had upgraded me from 'B' to 'A'.

PermalinkCommentscertificate csp hsts https lets-encrypt nearlyfreespeech.net

Retweet of ericlaw

2015 Dec 22, 7:08
I want users to win. I want the web to win, and I want to make life harder for bad guys every day. My next role: http://textslashplain.com/2015/12/23/my-next-adventure/ …
PermalinkComments

Tweet from David_Risney

2015 Nov 17, 8:41
SMBC on the topic of bacon cancer http://www.smbc-comics.com/index.php?id=3930 …
PermalinkComments

Retweet of FTC

2015 Nov 4, 6:03
Our #StartWithSecurity workshop starts now. Watch live: https://player.streamspot.com/simple/live.php?cn=f9a676ee&aspect=true&w=1280&h=720&noArchiveBtn=true&noLiveBtn=true … Agenda: https://www.ftc.gov/news-events/events-calendar/2015/11/start-security-austin …
PermalinkComments

Retweet of Zak_Bagans

2015 Oct 20, 7:21
Almost uncanny #BackToFutureDay pic.twitter.com/DEUlnWHpFh
PermalinkComments

Retweet of tinysubversions

2015 Oct 12, 9:37
This is cool as heck http://www.wired.com/2015/10/margaret-hamilton-nasa-apollo/?mbid=social_twitter#slide-1 … pic.twitter.com/BCnBDsSy8V
PermalinkComments

Tweet from David_Risney

2015 Aug 16, 2:31
Economics solve ethical quandaries: http://www.smbc-comics.com/index.php?id=3831 …
PermalinkComments

Tweet from David_Risney

2015 Aug 14, 2:20
CreateRemoteThread is much easier to use to crash a remote process than its intended purpose: https://github.com/david-risney/CrashProcess/blob/master/CrashProcess/CrashProcess.cpp …
PermalinkComments

Retweet of simevidas

2015 Jul 26, 8:27
The size of web fonts (per page) quadrupled over the last 2 years: http://httparchive.org/trends.php?s=All&minlabel=Jul+15+2013&maxlabel=Jul+15+2015#bytesFont&reqFont … pic.twitter.com/zl8HgpZDg0
PermalinkComments

fuckyeahpeeweeherman:Pee-wee Herman’s next adventure is coming...

2015 Mar 17, 3:28


fuckyeahpeeweeherman:

Pee-wee Herman’s next adventure is coming to Netflix.

Netflix says the film will be called “Pee-wee’s Big Holiday” and will feature Pee-wee taking his first-ever vacation after meeting a mysterious stranger.

Reubens created the quirky character in the 1980s when he was a member of the Groundlings improv group.

Netflix currently streams the Pee-wee films “Pee-wee’s Big Adventure” and “Big Top Pee-wee,” as well as the TV show “The Pee-wee Herman Show” and “Pee-wee’s Playhouse.”

“Pee-wee’s Big Holiday” is being produced by Judd Apatow and directed by John Lee. Reubens is writing the movie’s script with Paul Rust.

Netflix says production will begin this year.

PermalinkComments

fuckyeahpeeweeherman:Pee-wee Herman’s next adventure is coming...

2015 Mar 17, 3:28


fuckyeahpeeweeherman:

Pee-wee Herman’s next adventure is coming to Netflix.

Netflix says the film will be called “Pee-wee’s Big Holiday” and will feature Pee-wee taking his first-ever vacation after meeting a mysterious stranger.

Reubens created the quirky character in the 1980s when he was a member of the Groundlings improv group.

Netflix currently streams the Pee-wee films “Pee-wee’s Big Adventure” and “Big Top Pee-wee,” as well as the TV show “The Pee-wee Herman Show” and “Pee-wee’s Playhouse.”

“Pee-wee’s Big Holiday” is being produced by Judd Apatow and directed by John Lee. Reubens is writing the movie’s script with Paul Rust.

Netflix says production will begin this year.

PermalinkComments

Retweet of dakami

2015 Mar 4, 4:44
http://ratbagp.blogspot.com/2011/01/howard-strauss.html … Actual quotes re: the introduction of electricity at Princeton.
PermalinkComments

exec($_GET

2014 Apr 29, 8:27

Does it betray my innocence that I’m shocked by the amount of exec($_GET you can easily find on github? Hilarious comment thread on hacker news: 

This is awful. Shell commands are not guaranteed to be idempotent, people! These should all be of the form exec($_POST, not exec($_GET.

ephemeralgomi

PermalinkCommentshumor security http php technical

honeysweetsugaricklepie: Uhh has anyone notice Garry Marshall’s...

2014 Feb 24, 11:57


honeysweetsugaricklepie:

Uhh has anyone notice Garry Marshall’s Wikipedia page?

Hahaha

Wiki user ‘Gillian Marshal’ (http://en.wikipedia.org/w/index.php?title=Garry_Marshall&diff=prev&oldid=596787114) updated his page yesterday. Nice and subtle only editing the summary section on the right.

PermalinkCommentsgary-marshal humor wikipedia gillian-jacobs gillian-marshal comedy-bang-bang

laughingsquid: Arrested Development Season 4 Trailer Brings...

2013 May 13, 2:47


laughingsquid:

Arrested Development Season 4 Trailer Brings Back the Dysfunctional Bluth Family

Come on!

PermalinkCommentshumor trailer arrested-development awesome

 “The disc itself is about 5 inches in diameter. It can record...

2012 Oct 1, 8:21


 “The disc itself is about 5 inches in diameter. It can record one hour of stereo music on one side — and it is only a one-sided disc, it’s not meant to be played on two sides…”

Sony demos the CD at TED in 1984 (by TEDBlogVideo)

PermalinkCommentsvideo cd ted music

Ben Goldacre’s TED talk on publication bias, drug...

2012 Sep 28, 3:55


drug companies hiding the results of clinical trials.

(via I did a new talk at TED, on drug companies and hidden data.)

PermalinkCommentsscience video ted

Stripe CTF - Input validation (Levels 1 & 2)

2012 Sep 6, 5:00

Stripe's web security CTF's Level 1 and level 2 of the Stripe CTF had issues with missing input validation solutions described below.

Level 1

Code

          $filename = 'secret-combination.txt';
extract($_GET);
if (isset($attempt)) {
$combination = trim(file_get_contents($filename));
if ($attempt === $combination) {

Issue

The issue here is the usage of the extract php method which extracts name value pairs from the map input parameter and creates corresponding local variables. However this code uses $_GET which contains a map of name value pairs passed in the query of the URI. The expected behavior is to get an attempt variable out, but since no input validation is done I can provide a filename variable and overwrite the value of $filename. Providing an empty string gives an empty string $combination which I can match with an empty string $attempt. So without knowing the combination I can get past the combination check.

Notes

Code review red flag in this case was the direct use of $_GET with no validation. Instead of using extract the developer could try to extract specifically the attempt variable manually without using extract.

Level 2

Code

    $dest_dir = "uploads/";
$dest = $dest_dir . basename($_FILES["dispic"]["name"]);
$src = $_FILES["dispic"]["tmp_name"];
if (move_uploaded_file($src, $dest)) {
$_SESSION["dispic_url"] = $dest;
chmod($dest, 0644);
echo "

Successfully uploaded your display picture.

";
}

Issue

This code accepts POST uploads of images but with no validation to ensure it is not an arbitrary file. And even though it uses chmod to ensure the file is not executable, things like PHP don't require a file to be executable in order to run them. Accordingly, one can upload a PHP script, then navigate to that script to run it. My PHP script dumped out the contents of the file we're interested in for this level:


Notes

Code review red flags include manual file management, chmod, and use of file and filename inputs without any kind of validation. If this code controlled the filename and ensured that the extension was one of a set of image extensions, this would solve this issue. Due to browser mime sniffing its additionally a good idea to serve a content-type that starts with "image/" for these uploads to ensure browsers treat these as images and not sniff for script or HTML.

PermalinkCommentsinput-validation php security technical

Stripe Web Security CTF Summary

2012 Aug 30, 5:00

I was the 546th person to complete Stripe's web security CTF and again had a ton of fun applying my theoretical knowledge of web security issues to the (semi-)real world. As I went through the levels I thought about what red flags jumped out at me (or should have) that I could apply to future code reviews:

Level Issue Code Review Red Flags
0 Simple SQL injection No encoding when constructing SQL command strings. Constructing SQL command strings instead of SQL API
1 extract($_GET); No input validation.
2 Arbitrary PHP execution No input validation. Allow file uploads. File permissions modification.
3 Advanced SQL injection Constructing SQL command strings instead of SQL API.
4 HTML injection, XSS and CSRF No encoding when constructing HTML. No CSRF counter measures. Passwords stored in plain text. Password displayed on site.
5 Pingback server doesn't need to opt-in n/a - By design protocol issue.
6 Script injection and XSS No encoding while constructing script. Deny list (of dangerous characters). Passwords stored in plain text. Password displayed on site.
7 Length extension attack Custom crypto code. Constructing SQL command string instead of SQL API.
8 Side channel attack Password handling code. Timing attack mitigation too clever.

More about each level in the future.

PermalinkCommentscode-review coding csrf html internet programming script security sql stripe technical web xss

Gangnam Style looks like he’s riding a horse but actually...

2012 Aug 24, 1:29


Gangnam Style looks like he’s riding a horse but actually its satire.

Also, the making of video: http://youtu.be/9HPiBJBCOq8

PermalinkCommentshumor music music-video video psy south-korea
Older Entries Creative Commons License Some rights reserved.